Johan_Rudberg
Contributor

Lan2Lan vpn Checkpoint R80.10 <-> Ingate FW

Hello

Does someone have experience with lan2lan vpn between checkpoint and ingate firewalls? We have a problem that every 1 hour the vpn tunnel goes down with the error in the checkpoint log like: Reject IKE failure no response from peer.

We have checked in both ends that the subnets we send through the tunnel are correct and they match, same as for all the IKE and IPSEC settings like SA lifetime they also match on both ends, that is SA in Phase 1 and 2 is 1 hour.

Permanent tunnel is also enabled on the checkpoint side with no improvement.

5 Replies
_Val_
Admin

How do you authenticate? With certificates or pre-shared secret? Regular Phase 1 failure usually means the CRL is unreachable when the VPN is up. Renegotiation fails, the tunnel goes down, the CRL is reachable again, the tunnel goes back up for an hour.

0 Kudos
Johan_Rudberg
Contributor

We have a pre-shared secret and they also match on both ends. The tunnel goes up and after 1 hour it goes down again with errors, then it goes up, and so forth.

0 Kudos
_Val_
Admin

Now, that should not happen. If Check Point says "no response from peer", you need to look on the Ingate side. However, I still think it makes sense to run vpn debug on the CP side to see which part of Phase 1 is failing.

0 Kudos
Johan_Rudberg
Contributor

Is it safe to turn on debug in a production environment? Our customer says that the VPN dies once every hour; it sounds like the IKE/IPsec key negotiations fail for some reason.

0 Kudos
_Val_
Admin

vpn debug is safe. Essentially, vpnd (the process doing IPsec negotiations) is just printing out some additional details into two log files. Nothing in kernel, should not be a problem.

However, if you are not comfortable with it, open a support case so our TAC engineer can assist you.

0 Kudos
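As an added illustration of the hourly pattern discussed in this thread (example code, not from the thread or from Check Point), the script below scans constructed Check Point-style VPN log lines for the "no response from peer" reject, measures the interval between consecutive failures per peer and checks whether that interval lines up with the configured SA lifetime, which separates a rekey-driven outage from random peer loss. The log format, peer address and timestamps are all constructed.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample in a simplified Check Point-style format (not real log output).
SAMPLE_LOG = """\
2023-10-02T09:01:15 vpn reject peer=203.0.113.10 IKE failure: no response from peer
2023-10-02T09:01:40 vpn accept peer=203.0.113.10 IKE: Main Mode completed
2023-10-02T10:01:41 vpn reject peer=203.0.113.10 IKE failure: no response from peer
2023-10-02T10:02:05 vpn accept peer=203.0.113.10 IKE: Main Mode completed
2023-10-02T11:02:07 vpn reject peer=203.0.113.10 IKE failure: no response from peer
2023-10-02T11:02:31 vpn accept peer=203.0.113.10 IKE: Main Mode completed
"""

LINE_RE = re.compile(r"^(\S+) vpn (accept|reject) peer=(\S+) (.*)$")
FAILURE_TEXT = "no response from peer"

def parse_events(log_text):
    """Yield (timestamp, action, peer, message) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def ike_failures(log_text):
    """Return sorted (timestamp, peer) pairs for each 'no response from peer' reject."""
    return sorted((ts, peer) for ts, action, peer, msg in parse_events(log_text)
                  if action == "reject" and FAILURE_TEXT in msg)

def rekey_pattern(failures, sa_lifetime_s=3600, tolerance_s=120):
    """Per peer: (median gap in seconds between failures, True if that gap is within
    tolerance of the SA lifetime, i.e. the drop coincides with rekeying)."""
    by_peer = {}
    for ts, peer in failures:
        by_peer.setdefault(peer, []).append(ts)
    verdict = {}
    for peer, stamps in by_peer.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps) if gaps else None   # a single failure carries no periodicity
        verdict[peer] = (med, med is not None and abs(med - sa_lifetime_s) <= tolerance_s)
    return verdict

def outage_seconds(log_text):
    """Seconds from each reject to the next successful negotiation with the same peer."""
    pending, outages = {}, []
    for ts, action, peer, msg in parse_events(log_text):
        if action == "reject" and FAILURE_TEXT in msg:
            pending[peer] = ts
        elif action == "accept" and peer in pending:
            outages.append((ts - pending.pop(peer)).total_seconds())
    return outages
```

A median gap close to the SA lifetime, as in the sample, says the tunnel dies at rekey time; the short outages show the peer is reachable again moments later, which is what the thread describes.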